
(Almost) everything about passwords

that OWASP won’t teach you.

Per Thorsheim
OWASP Cheat Sheets
Password Storage Cheat Sheet
Authentication Cheat Sheet
Forgot Password Cheat Sheet
Pinning Cheat Sheet
Work / Life Flowchart (as a CISO)
Account creation
form @ikea
--------
Please enter
preferred username
+ password.
Online bank in Kuwait
Usability in a nutshell
Passwords are *everywhere*
17-year-old teens – pick your PIN

Girls Boys
1996 1337
1996
Digit distribution for PINs (chart: 4-digit memorable, 4-digit non-memorable, 7-digit memorable)
Digit 0 is not «random» enough?
Digit 6 is hard to remember?

Thank you to Andrey Bogdanov, Sondre Rønjom & Jan Fredrik Leversund for great help!
Heatmapping PINs (panels: RockYou, iPhone, physical access control system)
Radical.org/pinmap by @kluzz

A birthday present every eleven wallets? The security of customer-chosen banking PINs
http://www.cl.cam.ac.uk/~jcb82/doc/BPA12-FC-banking_pin_security.pdf
http://www.cl.cam.ac.uk/~jcb82/doc/BPA12-FC-banking_pin_security-slides_ss.pdf

Daniel Amitay:
http://danielamitay.com/blog/2011/6/13/most-common-iphone-passcodes
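The digit-distribution chart and the pinmap heatmap above are both plain frequency analysis over a PIN corpus. The following is an added example (not code from the talk, from pinmap, or from the cited paper) that computes the same three views: per-position digit counts, the first-two/last-two grid that a heatmap draws, and how much of the corpus the most common guesses unlock. The PIN list is constructed for the demo; a real corpus is read one PIN per line.

```python
"""Frequency analysis of a PIN corpus: per-position digit counts, the
first-two/last-two grid used for heatmaps, and top-guess coverage.

Added example, not from the talk. SAMPLE_PINS is a constructed list.
"""
from collections import Counter

# Constructed sample: a few popular choices repeated, plus some one-offs.
SAMPLE_PINS = (["1234"] * 6 + ["1111"] * 3 + ["1996"] * 2
               + ["0000", "2580", "5683", "4711", "7392"])


def digit_position_counts(pins):
    """Count each digit per position; every PIN must share one length."""
    length = len(pins[0])
    table = [Counter() for _ in range(length)]
    for pin in pins:
        if len(pin) != length or not pin.isdigit():
            raise ValueError(f"malformed PIN {pin!r}")
        for pos, digit in enumerate(pin):
            table[pos][digit] += 1
    return table


def heatmap_grid(pins):
    """Bucket 4-digit PINs by (first two digits, last two digits), a 100x100 grid."""
    grid = Counter()
    for pin in pins:
        if len(pin) != 4 or not pin.isdigit():
            raise ValueError(f"heatmap expects 4-digit PINs, got {pin!r}")
        grid[(int(pin[:2]), int(pin[2:]))] += 1
    return grid


def coverage(pins, guesses):
    """Fraction of the corpus an attacker hits with the `guesses` most common PINs."""
    counts = Counter(pins)
    hit = sum(n for _, n in counts.most_common(guesses))
    return hit / len(pins)


def year_like_fraction(pins):
    """Share of 4-digit PINs that read as a birth year (19xx or 20xx)."""
    years = sum(1 for pin in pins if pin[:2] in ("19", "20"))
    return years / len(pins)


def load_pins(path):
    """Read one PIN per line from a corpus file, skipping blank lines."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.strip() for line in fh if line.strip()]


if __name__ == "__main__":
    import sys
    pins = load_pins(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PINS
    for pos, counts in enumerate(digit_position_counts(pins)):
        print(f"position {pos}: {dict(sorted(counts.items()))}")
    print("hottest grid cells:", heatmap_grid(pins).most_common(3))
    for n in (1, 3, 10):
        print(f"top {n} guesses cover {coverage(pins, n):.1%}")
    print(f"year-like PINs: {year_like_fraction(pins):.1%}")
```

`coverage` is the number a defender should care about: a lockout after N wrong tries only helps if the top N PINs cover a small slice of the corpus, which is exactly what the cited banking-PIN paper measures.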
Look, and you shall see… PINs.
Guess What?

YOU ARE
PREDICTABLE!
What’s the value of a password?
Consequences?

http://arstechnica.com/security/2013/04/hacked-ap-twitter-feed-rocks-market-after-sending-false-news-flash/
Lessons from LinkedIn
Tuesday, June 5, 2012, on Twitter:
Mobile Usability #1
Keys too small. FINGERS TOO BIG!
Oh Please GOD, NO CAPTCHAS ON PHONES! EVER!
PIN on Phone = PIN on Dropbox!
Introduction to app should include security features? (Why no other options for the paranoid?)
Foursquare – Verify mail account: unknown address, or wrong format? Can we verify mail addresses?
Lastpass – iOS & Android: default do not show password? Do not remember password?
Display password option = GOOD! (Default on?)
Tip For Mobile Usability:
Johansen = 56426736
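The slide pairs a surname with the digits it becomes on a phone keypad (J=5, o=6, h=4, a=2, n=6, s=7, e=3, n=6). As an added example, not from the talk, here is that mapping together with the caveat a practitioner wants: if a verifier accepts the digit form in place of the letters, each character collapses from 26 case-insensitive choices to 8 keys, and many letter strings share one digit string. The ITU E.161 layout and the "verifier accepts digits" scenario are my assumptions.

```python
"""Letters to phone-keypad digits, and the keyspace that digit form implies.

Added example, not from the talk. Keypad layout is ITU E.161 (assumed).
"""
import math

# Standard layout; keys 0 and 1 carry no letters.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: key for key, letters in KEYPAD.items() for ch in letters}


def to_keypad_digits(word):
    """'Johansen' -> '56426736'. Digits pass through; other characters are an error."""
    out = []
    for ch in word.lower():
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"no keypad digit for {ch!r}")
    return "".join(out)


def preimages(digits):
    """Number of all-letter strings that collapse onto this digit string."""
    total = 1
    for d in digits:
        total *= len(KEYPAD.get(d, "x"))  # keys 0/1 contribute one option
    return total


def bits_lost(word):
    """Entropy given up if the keypad form is accepted instead of the letters:
    per character, log2(26) for a lowercase letter drops to log2(8) for keys 2-9."""
    to_keypad_digits(word)  # validate: raises on characters with no key
    return len(word) * (math.log2(26) - math.log2(8))


if __name__ == "__main__":
    import sys
    word = sys.argv[1] if len(sys.argv) > 1 else "Johansen"
    digits = to_keypad_digits(word)
    print(f"{word} -> {digits}; {preimages(digits)} letter strings share it; "
          f"{bits_lost(word):.1f} bits lost if the digit form is accepted")
```

For an 8-letter surname the digit form is about 13.6 bits weaker than the letters, and the mapping also silently discards case, so a mixed-case password loses even more. Typeable on a keypad is good for usability; accepting the keypad form as equivalent is not.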
Password Meters
Google account creation: give sound advice – recommend 2FA
«Secret» mail + phone #
Facebook: 2FA in use!
Starttls.info
RFC 2487 -> RFC 3207
Transparent opportunistic encryption using SSL/TLS between two SMTP servers
RFC requires public servers to accept sending & receiving plaintext
Self-signed, expired, SSLv2, RC4, MD5, Anonymous DH, 40-56 bit encryption keys…
We've found the dark side of SSL!
(please contribute by testing domains.)
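What the starttls.info survey does per domain is a real SMTP session: EHLO, check that STARTTLS is offered, upgrade, and then look at what was negotiated. The block below is an added example (not starttls.info's code or the talk's) that does that and grades the result against the weaknesses listed above. Verification is deliberately switched off and the cipher list opened up, so a bad certificate does not hide a bad cipher; the thresholds in the constants are my assumptions, and the example does not parse the certificate itself, so self-signed and expired certificates are not flagged here.

```python
"""Probe an SMTP server's STARTTLS (RFC 3207) and grade the negotiated session.

Added example, not from the talk or starttls.info. The thresholds below are
assumptions chosen to match the weaknesses the slide lists.
"""
import smtplib
import ssl

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-name fragments: RC4, MD5 MACs, DES family, export grade,
# NULL encryption, anonymous DH / ECDH (no authentication at all).
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "EXP", "NULL", "ADH", "AECDH")
MIN_KEY_BITS = 128


def grade_session(protocol, cipher_name, key_bits):
    """Return findings for one negotiated session; an empty list means clean."""
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"obsolete protocol {protocol}")
    upper = cipher_name.upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in upper:
            findings.append(f"weak cipher component {marker} in {cipher_name}")
    if key_bits < MIN_KEY_BITS:
        findings.append(f"only {key_bits}-bit symmetric key")
    return findings


def survey_context():
    """A client context that accepts whatever the server offers, so the survey
    records the server's weakest behaviour instead of failing on it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # OpenSSL build without that option: keep the defaults
    return ctx


def probe_starttls(host, port=25, timeout=10):
    """Connect, EHLO, upgrade with STARTTLS, and report what was negotiated."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"host": host, "starttls": False,
                    "findings": ["no STARTTLS offered: plaintext only"]}
        smtp.starttls(context=survey_context())
        smtp.ehlo()  # RFC 3207: the session state is reset after the upgrade
        cipher_name, protocol, bits = smtp.sock.cipher()
        return {"host": host, "starttls": True, "protocol": protocol,
                "cipher": cipher_name, "bits": bits,
                "findings": grade_session(protocol, cipher_name, bits)}


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        try:
            print(probe_starttls(target))
        except (OSError, smtplib.SMTPException) as exc:
            print({"host": target, "error": str(exc)})
```

Run it against the MX hosts of a domain (`python probe.py mx1.example.org`). A server that offers STARTTLS but negotiates SSLv3 with RC4-MD5 is the "dark side" the slide means: the session looks encrypted to a log reader while giving an active attacker little work.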
Operation Face Factor
- Unique opportunity (!)
- 5000+ «headshots»
- Passwords + other information available
- Analyze!
Categorization

Sex
Glasses (Y/N)
Hair color
Facial hair
… and the results?
Women prefer length.

Men prefer wider selection (entropy).

«Unix gurus» have the worst passwords.


Getting hacked may be good?
PasswordsCon
Las Vegas, Aug 5-6
co-located with
BSidesLV

Trondheim (Norway)
Dec 7-8

passwordscon.org
Applied Risk Analysis
A final note + video

«Never write down your password»


Thank you!
in/thorsheim
securitynirvana.blogspot.com
@thorsheim
/GodPraksis
/user/thorsheim
per.thorsheim

Available on RedPhone for Android
